For a small API, I need to maintain a session without using cookies. In my case, the client passes the session ID in a custom HTTP header.

php itself has the setting session.use_cookies that I can turn off for this purpose and the HttpFoundation component allows me to set that parameter as well.

But for some reason, FrameworkBundle allows only a subset of those session.* parameters in its configuration and use_cookies is not among them. I'm currently working around this issue by adding my own session storage service:

services:
    my_session_storage:
        class: Symfony\Component\HttpFoundation\Session\Storage\NativeSessionStorage
        arguments:
            - { use_cookies: false }
            - @session.handler
            - @session.storage.metadata_bag

framework:
    session:
        storage_id: my_session_storage

What I'd like to do is this:

framework:
    session:
        use_cookies: false

The patch for this is trivial (see #13671, #15123). I'm just wondering if there has been a good reason for excluding this parameter from FrameworkBundle's configuration. Is some internal functionality seriously blowing up if I turn off session cookies or did somebody simply forget to add use_cookies to the whitelist of parameters?